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PAIRING THE VOLCANO 



SORINA lONICA AND ANTOINE JOUX 



Abstract. Isogeny volcanoes are graphs whose vertices are eUiptic curves and 
whose edges are ^-isogenics. Algorithms allowing to travel on these graphs were 
developed by Kohel in his thesis (1996) and later on, by Fouquet and Morain 
(2001). However, up to now, no method was known, to predict, before taking a 
step on the volcano, the direction of this step. Hence, in Kohel's and Fouquet- 
Morain algorithms, many steps are taken before choosing the right direction. 
In particular, ascending or horizontal isogenics are usually found using a trial- 
and-error approach. In this paper, we propose an alternative method that 
efficiently finds all points P of order £ such that the subgroup generated by 
P is the kernel of an horizontal or an ascending isogeny. In many cases, our 
method is faster than previous methods. This is an extended version of a paper 
published in the proceedings of ANTS 2010. In addition, we treat the case of 
2-isogeny volcanoes and we derive from the group structure of the curve and 
the pairing a new invariant of the endomorphism class of an elliptic curve. 
Our benchmarks show that the resulting algorithm for endomorphism ring 
computation is faster than Kohel's method for computing the £-adic valuation 
of the conductor of the endomorphism ring for small £. 



1. Introduction 

Let E be an elliptic curve defined over a finite field F,, where q = is a prime 
power. Let tt be the Frobeiiius endomorphism, i.e., 7r(a;,y) i— >■ {x'^,y'^) and denote 
by t its trace. Assume that E is an ordinary curve and let Oe denotes its ring 
of endomorphisms. We know [221 Th. V.3.1] that Oe is an order in an imaginary 
quadratic field K. Let d-,^ = — 4g be the discriminant of tt. We can write 

= g^dx, where dpc is the discriminant of the quadratic field K. There are only a 
finite number of possibilities for O^, since Z[7r] C Oe C O^^. Indeed, this requires 
that /, the conductor of O^, divides g. the conductor of Z[7r]. The cardinality 
of E over is ^E{¥q) = q + 1 — t. Two isogenous elliptic curves over F, have 
the same cardinality, and thus the same trace t. In his thesis [14], Kohel studies 
how curves in Ellt(Fq), the set of curves defined over F^ with trace t, are related 
via isogenics of degree £. More precisely, he describes the structure of the graph 
of ^-isogenics defined on Ellt(Fg). He relates this graph to orders in Ok and uses 
modular polynomials to find the conductor of End(i?). 

Fouquet and Morain [5] call the connected components of this graph isogeny 
volcanoes and show that it is possible to travel through these structures using 
modular polynomials, even without knowing the cardinality of the curve. Moreover, 
they compute the €-adic valuation of the trace t, for £\g and hence obtain some 
information on the cardinality of the curve. Recently, more applications of isogeny 
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volcanoes were found: the computation of Hilbert class polynomials [U [24], of 
modular polynomials [3J and of endomorphism rings of elliptic curves [2] . 

All the above methods make use of algorithms for traveling efficiently on vol- 
canoes. These algorithms need to walk on the crater, to descend from the crater 
to the floor or to ascend from the floor to the crater. In many cases, the struc- 
ture of the ^-Sylow subgroup of the elliptic curve, allows one, after taking a step 
on the volcano, to decide whether this step is ascending, descending or horizontal 
(see [T71 US]). Note that, since a large fraction of isogenics are descending, find- 
ing one of them is quite easy. However, no known method can find horizontal or 
ascending isogenics without using a trial-and-error approach. In this paper, we 
describe a first solution to this open problem, which applies when the cardinality 
of the curve is known, and propose a method that efficiently finds a point P of 
order i that spans the kernel of an ascending (or horizontal isogeny) . Our approach 
relies on the computation of a small number of pairings. We then show that our 
algorithms for traveling on the volcano are, in many cases, faster than the ones 
from [14J and [8J. In addition, we obtain a simple method that detects most curves 
on the crater of their volcano. Until now, the only curves that were easily identified 
were those on the floor of volcanoes. Finally, we introduce an invariant for curves 
lying at the same level in the ^-volcano. In order to compute this invariant, we 
need to compute the group structure and a few pairings. This paper is organized as 
follows: Sections[2]and[3]present deflnitions and properties of isogeny volcanoes and 
pairings. Section |4] explains our method to find ascending or horizontal isogenics 
using pairing computations. Finally, in Section [5l we use this method to improve 
the algorithms for ascending a volcano, for walking on its crater and for computing 
the ^-adic valuation of the conductor of the endomorphism ring. 

2. Background on isogeny volcanoes 

In this paper, we rely on some results from complex multiplication theory and on 
Deuring's lifting theorems. We denote by Effd(C) the set of C-isomorphism classes 
of elliptic curves whose endomorphism ring is the order Od, with discriminant 
d < 0. In this setting, there is an action of the class group of Od on 'EU d{'C). Let 
E £ T.U d{C), A its corresponding lattice and a an Od-ideal. We have a canonical 
homomorphism from C/A to C/a~^A which induces an isogeny usually denoted 
hy E ^ a* E. This action on •£[[ d{'C) is transitive and free [231 Prop. II. 1.2]. 
Moreover [23, Cor. II. 1.5], the degree of the application E ^ a * ii^ is N{a), the 
norm of the ideal a. 

Let Fq be a finite field, with q — and p a prime number. We denote by 
T.U d{^q) the set of isomorphism classes of elliptic curves defined over F,, having 
endomorphism ring Od- From Deuring's theorems [6], if p is a prime number that 
splits completely in the ring class field of O^, we get a bijection T.CC d{C) — )■ "ECC d(Pq)- 
Furthermore, the class group action in characteristic zero respects this bijection, 
and we get an action of the class group also on Effd(Fg). 

2.1. Isogeny volcanoes. Consider an elliptic curve E defined over a finite field 
¥q. Let £ he a prime different from char(Fq) and I : E ^ E be an £-isogeny, i.e. 
an isogeny of degree I. We denote by Od and Od' the endomorphism rings of E 
and E' , respectively. As shown in [14], this means that Od contains O^' or O^' 
contains Od or the two endomorphism rings coincide. If Od contains O^' , we say 
that / is a descending isogeny. Otherwise, if Od is contained in C^' , we say that / 
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is a ascending isogeiiy. If Od and O^' are equal, then we call the isogeny horizontal. 
In his thesis, Kohel shows that horizontal isogenics exist only if the conductor of 
Od is not divisible by £. Moreover, in this case there are exactly (j) + 1 horizontal 
^-isogenics, where d is the discriminant of Od- If (f ) = 1, then £ is split in Od and 

the two horizontal isogenies correspond to the two actions E i*E and £' ^ l*E, 
where the two ideals [ and [ satisfy {£) = I [. In a similar way, if (f ) = 0, then £ IS 
ramified, i.e. {£) = P and there is exactly one horizontal isogeny starting from E. In 
order to describe the structure of the graph whose vertices are (isomorphism classes 
of) elliptic curves with a fixed number of points and whose edges are ^-isogenics, 
we recall the following definition [23] . 

Definition 2.1. An volcano is a connected undirected graph with vertices parti- 
tioned into levels Vq, . . . ,Vh, in which the subgraph on Vq (the crater) is a regular 
connected graph of degree at most 2 and 

(a) For z > 0, each vertex in Vi has exactly one edge leading to a vertex in 

and every edge not on the crater is of this form. 

(b) For i < h, each vertex in Vi has degree £ + 1. 

We call the level Vh the floor of the volcano. Vertices lying on the floor have 
degree 1. The following proposition [53] follows essentially from [14, Prop. 23]. 

Proposition 2.2. Let p be a prime number, q — p^ , and d^ — t'^ — Aq. Take 
£ ^ p another prime number. Let G be the undirected graph with vertex set Ellt(Fq) 
and edges i?-isogenies defined over F^. We denote by £^ the largest power of £ 
dividing the conductor of d-^. Then the connected components of G that do not 
contain curves with j-invariant or 1728 are £- volcanoes of height h and for each 
component V, we have : 

(a) The elliptic curves whose j-invariants lie in Vq have endomorphism rings 
isomorphic to some Odg 3 Cd„ whose conductor is not divisible by £. 

(b) The elliptic curves whose j-invariants lie in Vi have endomorphism rings 
isomorphic to O^. , where di = ^^'do- 

Elliptic curves are determined by their j-invariant, up to a twisiQ. Throughout 
the paper, we refer to a vertex in a volcano by giving the curve or its ^'-invariant. 

2.2. Exploring the volcano. Given a curve E on an ^-volcano, two methods 
are known to find its neighbours. The first method relies on the use of modular 
polynomials. The ^-th modular polynomial, denoted by ^i{X,Y) is a polynomial 
with integer coefficients. It satisfies the following property: given two elliptic curves 
E and E' with j-invariants j{E) and j{E') in ¥g, there is an ^-isogeny from E to 
E' defined over F,, if and only if, #E{¥g) = #E'{¥g) and <^>i{j{E), j{E')) = 0. As 
a consequence, the curves related to E via an £-isogeny can be found by solving 
^i{X,j{E)) = 0. As stated in [21], this polynomial^ may have 0, 1, 2 or ^-|- 1 roots 
in ¥q. Ill order to find an edge on the volcano, it suffices to find a root j' of this 
polynomial. Finally, if we need the equation of the curve E' with j-invariant j' , we 
may use the formula in [21|. 

The second method to build £-isogenous curves constructs, given a point P of 
order £ on E, the ^-isogeny I : E E' whose kernel G is generated by P using 

^For a definition of twists of elliptic curves, refer to |22| . 

^The case where the modular polynomial does not have any root corresponds to a degenerate 
case of isogeny volcanoes containing a single curve and no £-isogenies. 
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Figure 1 . A regular volcano 



Vein's classical formulae in an extension field Fgr . To use this approach, we need 
the explicit coordinates of points of order £ on E. We denote byGi, l<i<£+l, 
the £ + 1 subgroups of order £ of E. Miret et al. [18] give the degree of the 
smallest extension field of such that Gi C Fg»-i , 1 < i < i + 1. This degree is 
related to the order of q in the group F|, that we denote by OTde{q). 

Proposition 2.3. Let E defined over ¥q be an elliptic curve with k rational £- 
isogenics, with £ > 2. Let Gi, 1 < i < n, be the kernels of these isogenics, and let 
ri be the minimum value for which Gi C i?(Fgi-i). 

(a) If K ~ 1 then ri — ordi[q) or ri — 2ordi[q). 

(b) If K — £ + I then cither ri ~ ordf^{q) for all i, or ri — 2ordi[q) for all i. 

(c) // K = 2 then ri\£ - 1 for i^l,2. 

In some cases, if the ^-torsion is not defined over F^, it may be preferable to 
replace the curve by its twist, if the i!-torsion of the twist is defined over an extension 
field of smaller degree. We also need the following corollary ]TS\ . 

Corollary 2.4. Let E/¥q be an elliptic curve over ¥q and E its quadratic twist. 
If E/¥g has 1 or £ + I rational £-isogenies, then 4j^E{¥ ^ord^q) or fl:E{¥ ^ordfq) is a 
multiple of £. Moreover, if there are £+1 rational isogenics, then it is a multiple 

ofe. 

2.3. The group structure of the elliptic curve on the volcano. Lenstra |13| 
relates the group structure of an elliptic curve to its endomorphism ring by proving 
that E{¥^ ~ OeI{t^ — 1) as Os-modules. It is thus natural to see how this 
structure relates to the isogeny volcano. From Lenstra's equation, we can deduce 
that E{¥q) ~ Z/MZ x Z/7VZ, for some positive integers TV and M with iV|Af . We 
denote by g the conductor of Z[7r] and we write tt = a + gui, with: 

{t-g)/2 , \ iidK = l (mod 4) 

^ " and Ll) — ' ' 



V2 I ifd;f = (mod 4) 



where is the discriminant of the quadratic imaginary field containing Oe- Note 
that N is maximal such that E\N\ C E{¥q) and by |201 Lemma 1] we get that 
N — gcd(a — l,g/f), with / the conductor of End(£'). Note moreover that N\M, 
N\{q—1) and MN = ^E{¥q). This implies that on an ^-volcano the group structure 
of all the curves in a given level is the same. 

Let be a curve on the isogeny volcano such that ve{N) < vi{M). As explained 
in [17] (in the case £ = 2, but the result is general), a is such that vi{a — 1) > 
m:m{vt{g),vi{4^E{¥q))/2}. 



PAIRING THE VOLCANO 



5 



Since N = gcd(a - l,g/f) and vi{N) < vi{#E{¥q)) 12, it follows that vt{N) = 
vi{g/ f ). As we descend, the valuation at £ of the conductor / increases by 1 at 
each level (by Proposition 12.2b ). This implies that the valuation of N for curves 
at each level decreases by 1 and is equal to for curves lying on the floor. Note that 
if ve{ifE{¥q)) is even and the height h of the volcano is greater than ve{i^E{¥q)), 
the structure of the £-torsion group is unaltered from the crater down to the level 
h — V({^E{¥q))/2. From this level down, the structure of the ^-torsion groups starts 
changing as explained above. In the sequel, we call this level the first stability level^ 
A volcano with first stability level equal to 0, i.e. on the crater, is called regular 
(see Figure [IJ. 

Notations. Let n > 0. We denote by E[i^] the ^"-torsion subgroup, i.e. the 
subgroup of points of order dividing on the curve E, by E[£^]{¥qk) the subgroup 
of points of order dividing defined over an extension field of and by (Fg) 
the ^-Sylow subgroup of E(Fq). 

3. Background on pairings 

Let E be an elliptic curve defined over some finite field F^, m an integer such 
that m\^E{¥q). Let k be the embedding degree, i.e. the smallest integer such 
that m\q'' - 1. Let P G E[m]{¥qk) and Q G E{¥qk)/mE{¥qk). Let f^^p be the 
function whose divisoiQ is m{P) — m{0), where O is the point at infinity of the 
curve E. Take R a random point in E{¥qk) such that the support of the divisor 
D = {Q + R) — {R) is disjoint from the support of f,n,p- Then we can define the 
Tate pairing as follows: 

tm:E[m](¥q.)x E(¥qk)/mE{¥qk) ^ F;./(F;.)" 

(p,g) ^ fmAQ + R)/frnAR)- 

The Tate pairing is a bilinear non-degenerate map, i.e. for all P G E[m]{¥qk) 
different from O there is a g e E{¥qk)/mE{¥qk) such that T^(P,Q) ^ 1. The 
output of the pairing is only defined up to a coset of (F*^)™. However, for imple- 
mentation purposes, it is useful to have a uniquely defined value and to use the 
reduced Tate pairing, i.e. Tm{P,Q) = tm{P,QY'^^^'^^™' G /im, where /i,„ denotes 
the group of m-th roots of unity. Pairing computation can be done in 0(log m) 
operations in ¥q using Miller's algorithm [16]. For more details and properties of 
pairings, the reader can refer to [S]. Note that in the recent years, in view of cryp- 
tographic applications, many implementation techniques have been developed and 
pairings on elliptic curves can be computed very efficientljQ. 

In the remainder of this paper we assume that the embedding degree is always 1, 
i.e. m\q — 1. We will denote by fc a different integer. Suppose now that m — £" , 
with n > 1 and £ prime. Now let P and Q be two f"-torsion points on E. We 
define the following symmetric pairing |12) 

(3.1) s{p,Q) = (r,„(p,g)r,„(Q,p))i 

Note that for any point P, Tin[P,P) = S{P,P). In the remainder of this paper, 
we call S{P, P) the self-pairing of P. We focus on the case where the pairing S is 



'Miret et al. call it simply the stability level. 
'For background on divisors, see 1221 . 
'See |10] for a fast recent implementation. 
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non-constant. Suppose now that P and Q are two linearly independent ^"-torsion 
points. Then all ^"-torsion points R can be expressed as R = aP + bQ. Using 
bilinearity and symmetry of the S'-pairing, we get 

\og{S{R, R)) = log{S{P, P)) + 2ab log(5(P, Q)) + log{S{Q, Q)) (mod T ), 

where log is a discrete logarithm function in /i^n. We denote by k{E) the largest 
integer such that the polynomial 

(3.2) r{a, b) = a2 \og{S{P, P)) + 2ab log(5(P, Q)) + b^ \og{S{Q, Q)) 

is identically zero modulo £^-HE)-i g^j-^^j nonzero modulo Obviously, since 

S is non-constant we have < k{E) < n. Dividing by -^ve may thus view 

7^ as a polynomial in ¥e[a, b]. When we want to emphasize the choice of E and 
we write Ve,£" instead of V. 

Since is a non-zero quadratic polynomial, it has at most two homogeneous 
roots, which means that from all the £ + 1 subgroups of E[i"]/ E[£"-'^] ~ (Z/^Z)2, 
at most 2 have self-pairings in /i^fc(E) (see also [12]). In the remainder of this paper, 
we denote by Ne,^'^ the number of zeros of VE,t^- Note that this number does not 
depend on the choice of the two generators P and Q of the ^"-torsion subgroup 
E[P^]. Moreover, we say that a ^"-torsion point R has degenerate self-pairing if 
Ten[R,R) is a £*''^^^-th root of unity and that R has non-degenerate self-pairing if 
Tin(R,R) is a primitive i''^(^)+^-th root of unity. Also, if T£n{R,R) is a primitive 
£"-th root of unity, we say that R has primitive self-pairing. 

4. Determining directions on the volcano 

In this section, we explain how we can distinguish between different directions 
on the volcano by making use of pairings. Given a point P G E[i^](¥g), we also 
need to know the degree of the smallest extension field containing an £"+^-torsion 
point such that £P = P. The following result is taken from [7]. 

Proposition 4.1. Let £ > 2 and E/¥q be an elliptic curve which lies on an £- 
volcano whose height h(V) is different from 0. Then the height ofV', the £-volcano 
of the curve E/¥qs is h{V') = h(y) + Vi{s). 

From this proposition, it follows easily that if the structure of the subgroup 
E[£°°]{¥g) on the curve E is Z/£"iZ x I./£"^Z, then the smallest extension K of 
such that E[£°°]{K) is not isomorphic to E[£°°]{¥g) is F^^. 

Proposition 4.2. Let £ > 2 and E/¥q be an elliptic curve with E[£°°]{¥q) ~ 
Z/r^Z X Z/r^Z, with 712 > 1. Then 

E[£°°]{¥qi) ~ z/r^+^z X z/r^+^z. 

Proof. Note that E lies on an i?- volcano V/¥q of height at least n2. We consider 
a curve E' lying on the floor of V/¥q such that there is a descending path of 
isogenics between E and E' . Obviously, we have E'[£°°](¥q) ~ Z/ri+"^Z. By 
Proposition 14. H V/¥qi has one extra down level, which means that the curve E' is 
no longer on the floor, but on the level just above the floor. Consequently, we have 
that E'[£] C E'{¥qi) and, moreover, E'[£°°](¥qi) ~ Z/£"^+"^+^Z x Z/£Z. 

We now show that A = 1. Note first that - 1 and that Vi{q'^ - 1) = 

vi{q - 1) + 1. We denote by P a point of order on the curve E' /¥qt. 
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Then, without restraining the generahty, we may assume that 

(4.1) T^f.^\r^+^p,e^p) = /,„,,,„,+Ap(£^p)f-^ e 

and 

(4.2) T^!f^\{r^+^-'P,P) = ,„,+A_ip(P)^ e 

By using the bihnearity of the pairing and the fact that fi^^+i^ji = ffn2 r for ^ 
point of order (up to a constant), we get from Equation (|4.ip 

By using Equahty (|4.ip . this is true if and only if A = 1. By ascending on the 
volcano from E' to E, we deduce that the structure of the ^-torsion of E over W^e 
is necessarily 

E[£°°]{¥ge) ~ Z/r^+^Z X Z/^"^+iZ. 

□ 

Remark 4.3. If = 2, the only problematic case is when the ^-adic valuation of the 
conductor of Z[7r] is 1. In all the other cases, the volcano gets exactly one extra level 
over Fq2 (see [Jj). Reasoning as in the proof of Proposition 14.21 we get that for a 
curve S on a 2-volcano of height at least 2 such that E[2°°](¥g) ~ Z/2"iZx Z/2"2Z, 
the 2-Sylow group structure over ¥q2 is 

E[2°°]{¥q2) ~ Z/2"i+^Z X Z/2"=+iZ. 

However, the following example shows that when ^ = 2, A is not always 1. 

Example 4.4. Let E be an an elliptic curve defined over with q = 257 given 
by the equation 

= + 206^2 + 221j; + 33. 
Then E[2°°][¥q] ~ Z/2Z x Z/2Z and £;[2°°][Fq2] ~ Z/24Z x Z/22Z. 

Remark 4.5. We note that in the general context of ordinary abelian varieties, 
Freeman and Lauter [TS] proved that if the ^"-torsion is defined over a finite field 
¥q, then the £""'"^-torsion is defined over F^f. 

We give some lemmas explaining the relations between pairings on two isogenous 
curves. 

Lemma 4.6. Suppose E/¥q is an elliptic curve and P,Q are points in E(¥q) of 
order n > I. Denote by P,Q £ E\¥q] two points such that £P — P and £Q = Q. 
Suppose that £"'\q — 1. Then we have the following relations for the Tate pairing 

(a) IfP,Qe E[¥q], then Ti^+i{P,QY" = Tt^{P,Q). 

(b) Suppose £>?,. IfQ€ E[¥qi]\E[¥q], then Ti^+i{P,QY ^ r<,.(P,Q). 

(c) Let£^2 andQe £;[F,2]\£;[F,] . ThenT^^^P ,QY = Ts- (P, Q)r2'. (P, T), 
where T is a point of order 2. 

Proof, (a) By writing down the divisors of the functions f^n+i p, fgn p, fe^.p, one 
can easily check that 
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We evaluate these functions at some points Q + R and R (where R is carefully 
chosen) and raise the equality to the power {q — l)/£". 

(b) Due to the equality on divisors div(/^„+i p) = div(/^„ p). we have 

(F i) 

where T^„ ' is the ^"-Tate pairing for E defined over W^t . It suffices then to show 
that T^y \p, Q) = Ti,.{P, Q). We have 

= fir^AiQ + R) + iAQ) + R) + i^HQ) + i?) + • ■ • 

(4.3) + in'-\Q) + R) ^ iiR))^ 

where i? is a random point defined over F^. It is now easy to see that for ^ > 3, 

(4.4) Q + tt{Q) + ir^Q) + ... + 7:'-\Q) =IQ = Q, 

because ^{Q) = Q + T, where T is a point of order £. By applying Weil's reciprocity 
law p21 Ex. II. 2. 11], it follows that the equation (|4.3p becomes: 

(4.5) T^y{p.Q) ^ ( ^^);^^^(+'^^ )'^/((p)-(Q))^-\ 

where / is such that div(/) = {Q+R) + {tt{Q)+R) + {t:'^{Q)+R)+...+{tt'^-^{Q)+R)- 
iQ+T+R)~-{e~l){R). Note that this divisor is F,-rational, so /((P)-(0))«-i = 1. 
This concludes the proof. 

(c) The sum at (|4.4I) becomes 

(4.6) Q + tt{Q)=Q + T, 

where T is a point of order 2. Consequently, we have an equation similar to equa- 
tion (113]) 

Ti!'^\p,Q). (^l^gi^)'^/((P)-(0))-\ 

where / is such that div(/) = {Q + R) + (7r(Q) + R) - {Q + T + R) - (R). We know 
that / is rational, hence f{{P) — {0)Y^^ = 1. We conclude that 

r2,.+i(P,Q)2 = T2.[P,Q)T2^{P,T). 

□ 

Lemma 4.7. Let (j) : E ^ E' he a separable isogeny defined over a finite field Vq, 
£ e Z such that £\q — 1. 

(a) Denote by d the degree of the isogeny and by P an £-torsion on the curve 
E such that 4>{P) is an £-torsion point on E' , and Q a point on E. Then 
we have 

n{cj,{P),<p{Q))^T,{P,QY. 

(b) Let (p : E E' be a separable isogeny of degree £ defined over Vq, P a 
££' -torsion point such that Ker <j) — {£' P) and Q a point on the curve E. 
Then we have 

Ti{<p{P),m))=Tu'iP,QY. 
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Proof, (a) We have 

WHfiMP)) = e E {{P + K)-iK)) = e J2 iiP)~m 



KeKcrrj} KeKor<# 

Ik,p 



div n 



, A'eKcr< 



VK+P 



where Ik.p is the straight hne passing through K and P and vk+p is the vertical 
hne passing through K + P. It fohows that for some point S on E 



IkAS) 



We obtain the desired formula by evaluating the equality above at two points care- 
fully chosen Q + R and R, and then by raising to the power 
(b) This time we have 

W*(/.',0(P)) = ^' E iiP + K)-{K))=i' E iiP)-iO)) 

KeKcTcf, KeKercf, 
/. 

iK,P 



-div 



n 



V 



, Vk+P 



Since #Ker0 = £, we get 

° ^(Q) = /«',p(g) f n ^Jffi!!) 

We raise this equality to the power 2^ and get the announced result. □ 

Proposition 4.8. Let E he an elliptic curve defined a finite field ¥q and assume 
that E[£-^]{Vq) IS isomorphic to Z/r^Z x Z/^^Z (with ni > 712 > I)- Suppose 
that there is a i"'^ -torsion point P such that T^^z^P^P) is a primitive £"'^ -th root 
of unity. Then the l-isogeny whose kernel is generated by g'^^^^p is descending. 
Moreover, the curve E does not lie above the first stability level of the corresponding 
l-volcano. 

Proof. Let /i : i? — > i?i be the isogeny whose kernel is generated by £"2-ip qj^^ 
suppose this isogeny is ascending or horizontal. This means that is defined 

over ¥q. Take Q another £"2_torsion point on E, such that = {P,Q) and 

denote by Qi = Ii{Q). One can easily check that the dual of Ii has kernel generated 
by It follows that there is a point Pi G £'i[r^] such that P = h{Pi). 

By Lemma [4.71 this means that Tg{P,P) e /x^na-i, which is false. This proves not 
only that the isogeny is descending, but also that the structure of the ^-torsion is 
different at the level of Ei. Hence E cannot be above the stability level. □ 

Proposition 4.9. Let E/¥q be a curve which lies in an (-volcano and on the first 
stability level. Suppose E[£'^]{¥q) ~ Z/r^Z x Z/T^Z, ni > > 1. 

(a) Suppose £ > 3. Then there is at least one (""^ -torsion point E{¥q) with 
primitive self-pairing. 
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(b) If £ ~ 2 and the height of the volcano is greater than 1, then there is at 
least one P^'^ -torsion point E(¥q) with primitive self-pairing. 

Proof, (a) Let P be a f"i-torsioii point and Q be a ^"^-torsion point such that 
{P,g} generates E[(.'^]{¥q). 

Case 1. Suppose ni > 712 > 2. Let E Ei be a descending ^-isogeny and denote 
by Pi and Qi the ^"1+^ and ^"^"^-torsion points generating Ei[£°°]{¥p). Moreover, 
without loss of generahty, we may assume that /i(P) — iPi and Ii{Q) ^ Qi- If 
Tfn2-i {Qi, Qi) is a primitive ^"^"^-th root of unity, Ten2 {Q, Q) is a primitive £"^-th. 
root of unity by Lemma 14.71 If not, from the non-degeneration of the pairing, we 
deduce that Tgn2-i{Qi, Pi) is a primitive €"^~^-th root of unity, which means that 
Tin2-i{Qi,iPi) is a £"^~^-th primitive root of unity. By applying Lemma [4.71 we 
get Tin2{Q,P) £ fJ,in2-i at best. It follows that Tf"2(Q,(5) € ne"2 by the non- 
degeneracy of the pairing. 

Case 2. If n2 = 1, then consider the volcano defined over the extension field F^*. 
There is a f ^-torsion point Q € E{¥gi) with Q = £Q. We obviously have i^\q^ — 1 
and from Lemma [4.61 we get Tp.{P.,PY ~ Ti{P,P). By applying Case 1, we get 
that (P, P) is a primitive £^-th. root of unity, so T^(P, P) is a primitive ^-th root 
of unity. 

(b) If 77,2 > 1, the proof is similar to that of (a) Case 1. Suppose now that ^2 = 1. 
Since 4|#£'(F,), we have q + l- t = mod 4. Then t'^ - Aq = {q - if mod 4. 
We deduce that E lies on a 2-volcano with height greater than 1 if and only if 
q=l mod 4. Let E' be a curve on the floor of the ^-volcano such that there is a 
2-ascending isogeny I : E' E. The fact that 4:\q — 1 implies that the 4-th Tate 
pairing is well-defined over ¥q and non-degenerate. We have E'[2°°]{¥q) ~ Z/4Z 
and thus there is a point P e E'[4]{¥q) such that r4(P, P) e /i| and that /(2P) = 0. 
By applying Lemma 14.71 we get that 

Ul{P),l{P))efi;. 

□ 

We now make use of a result on the representation of ideal classes of orders in 
imaginary quadratic fields. This is Corollary 7.17 from [S]. 

Lemma 4.10. Let O be an order in an imaginary quadratic field. Given a nonzero 
integer M , then every ideal class in Cl{0) contains a proper O-ideal whose norm 
is relatively prime to M . 

Proposition 4.11. We use the notations and assumptions from Provosition \2.^ 
Furthermore, we assume that for all curves Ei lying at a fixed level iinV the curve 
structure is Z/£"iZ x Z/£"^Z, with ni > 712 > 1. The value of NEi,i"2, the number 
of zeros of the polynomial defined at p.2[) , is constant for all curves lying at level 
i in the volcano. 

Proof. Let Ei and E2 be two curves lying at level i in the volcano V. Then by 
Proposition 12.21 they both have endomorphism ring isomorphic to some order Od^ . 
Now by taking into account the fact that the action of Cl(Oc;J on d.{¥g) is tran- 
sitive, we consider an isogeny (p : Ei E2 oi degree £1. By applying Lemma [4.101 
we may assume that {£i,() — 1. Take now P and Q two independent -torsion 
points on Ei and denote by Vei,1"2 the quadratic polynomial corresponding to 
the ^"^-torsion on Ei as in 13.21 We use Lemma [4.71 to compute S'((/)(P), ^(P)), 
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S{(l){P),(p{Q)) and S{(p{Q),(p{Q)) and deduce that a polynomial Vsz.i^-iiajb) on 
the curve E2 computed from (p{P) and ^(Q) is such that 

'P_Ei,£"2 (a, b) = 'Pe24"2 (a, b). 

This means that Nei,i^2 and NE2,t^2 coincide, which concludes the proof. More- 
over, we have showed that the value of k{Ei) = k{E2). □ 

Proposition 4.12. Let E be an elliptic curve defined a finite field ¥q and let 
E[e°°]{¥q) be isomorphic to Z/r^Z x Z/r^Z with ni > 712 > 1. Suppose Nej-^^ G 
{1,2} and let P be a P^'^ -torsion point with degenerate self-pairing. Then the l- 
isogeny whose kernel is generated by £"2-ip jg gj^/jg^- ascending or horizontal. 
Moreover, for any i"^ -torsion point Q whose self-pairing is non- degenerate, the 
isogeny with kernel spanned by £"^^^Q is descending. 

Proof Case 1. Suppose Ti,^2{P,P) G A^^m-b), k{E) > 1 and that T^^s (Q, Q) G 
li(^k{E)+i\^i^k{E). Denote hy Ii : E ^ Ei the isogeny whose kernel is generated by 
£n2-ip g^jj(j I2 : E E2 the isogeny whose kernel is generated by £^^~-^Q. By 
repeatedly applying Lemmas 14.61 and 14.71 we get the following relations for points 
generating the ^-torsion on Ei and E2: 

Ti^2-i{h{P),h{P)) G niHE)-i, Ti^2-i{£hiQ)Jh{Q)) & ^J.eM'^■>-2\^J,iHE■,-3 

Tt^2-^{^h{P),il2{P)) e HiHE)-3, Ti^2--i-{l2{Q),h{Q)) & t^eHE)\^J,fM'^)-l 

with the convention that fi^h = whenever h < 0. From the relations above, we 
deduce that on the ^-volcano having E, Ei and E2 as vertices, Ei and E2 do not lie 
at the same level. Given the fact that there are at least i — 1 descending rational 
i!- isogenics parting from E and that Q is any of the £—1 (or more) -torsion points 
with non-degenerate self-pairing, we conclude that Ii is horizontal or ascending and 
that I2 is descending. 

Case 2. Suppose now that k{E) ~ 0. Note that the case n2 — I was already treated 
in Proposition 14.81 If ^2 > 1, we consider the curve E defined over F^e. For £ > 3, 
by Lemma |4. 6b we have k{E) = 1 for points on E/Wgi, and we may apply Case 1. 
The case ^ = 2 is treated inside the proof of Theorem 14.151 □ 

Remark 4.13. If i? is a curve lying under the first stability level and that £'[i'°°] (Fg) ~ 
Z/r^Z X Z/£"^Z, with ni > ^2, then it suffices to find a point Pi of order £"^ and 
the point £"^^^Pi generates the kernel of a horizontal or ascending isogeny (Pi has 
degenerate self-pairing) . 

Corollary 4.14. Let E be a curve on an £-volcano such that the polynomial Ve,1"2 
is non-zero over Fg . If £ is split in the maximal order Od^ , then E is on the crater 
if and only if Ne/^2 is 2. Otherwise, £ is inert in Od^ if and only if Ne,i^2 — 0. 

Two stability levels. Remember that in any irregular volcano, vg{^E{¥q)) is even 
and the height h of the volcano is greater than ve{^E{¥q)). Moreover, all curves 
at the top of the volcano have E[£°°]{¥g) ~ Z/r^Z x Z/^^Z with n2 = ^^MBMl_ 
The existence of a primitive self-pairing of a -torsion point on any curve lying 
on the first stability level implies that the polynomial P is non-zero at every level 
from the first stability level up to the level max(/i-|- 1 — 2n2, 0) (by Lemma l47f|) . We 
call this level the second level of stability. This is illustrated in Figure [2l When the 
second stability level of a volcano is 0, we say that the volcano is almost regular. 
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Consider now E a curve on the second stability level and /:£'—> i?i an ascend- 
ing isogeny. Let P be a £"^-torsion point on E and assume that Ti^^2{P,P) G 
We denote by P e E{¥gi)\E{¥q) a point such that £P = P. By Lemma SI] 
we get Tgn2+i{P,P) is a primitive ^^-th root of unity. It follows by Lemma [4.71 
that Tgn2[I{P),I{P)) is a primitive ^-th root of unity. We deduce that 'Pe-^,i"2+'^ 
corresponding to Ei/¥gi is non-zero. Applying this reasoning repeatedly, we con- 
clude that for every curve E above the second stability level there is an extension 
field Fgfs such that the polynomial Vej"2+^ associated to the curve defined over 
Fgfs is non-zero. We will show that the degree of this extension field characterizes 
uniquely curves lying on a fixed level of the volcano, above the second stability level. 

Let E be an elliptic curve. We suppose that 

E{¥g)[e°°] ~ z/r^z X z/r^z. 

We define Cg^E as follows 

Til, if £■ is under /on the first stability level 

^ _ k{E) + 1, if £' is above the first stability level and 
^'^ I below the second stability level, 

— s + I, if is above the second stability level, 

where s is the smallest integer such that the polynomial V of the curve E defined 
over F^fs is nonzero. 

Theorem 4.15. Let E be an elliptic curve in Ellt(Fg). Then Ci^E is an invariant 
of the level of the curve in its ^-volcano. 

Proof. Case 1. Suppose ^ > 3. If i? lies below the first stability level, then the 
structure of the £-Sylow group of the curve changes from one level to another and 
ni characterizes the level of the curve in its ^-volcano. 

Suppose now that E lies below the crater, on the first stability level or above it. 
Take P and Q two points such that E[i"^] = {P, Q) and we may assume that P 
has non-degenerate self-pairing, i.e. Ten2(P,P) G /i^fc(E)+i\^£fc(E) , and that Q has 
degenerate self-pairing, i.e. Tgn2{Q,Q) G Hik(E). The point ^"^-iq generates the 
kernel of an ascending isogeny I : E ^ E' . We denote by P' = I{P) and, by using 
Lemma \A77\ we get 

Note that P' is such that generates the kernel of /, which is a descending 

isogeny. Consequently, the self-pairing of P' is non-degenerate, which means that 
k{E') = k{E) - 1. By Proposition [4Jl we have that k{E) = n2 - 1 if the curve E 
lies on the first stability level. The reasoning above implies that k{E) = n^ — l for 
all curves lying one level above the first stability level. Iterating this procedure, it 
also follows that as we ascend from the first stability level to the second one, the 
value of k{E) decreases by 1 at each level. In particular, it equals at the second 
stability level and —1 at all levels above the second stability level (all self-pairings 
of curves on these levels are degenerate) . 

Suppose now that £^ is a curve below the crater, on the second stability level or 
above it. We show by induction that if the value of k{E) corresponding to E defined 
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over ¥^t= is 0, then for a curve E' lying one level above the value k{E') is over 
F^fs+i and F^^s+i is the smallest extension field with this property. We suppose 
that 

with Til > n2. We consider P and Q two £"^-torsion points such that {P,Q) — 
E[£'^^] and that P has primitive self-pairing, while Q has degenerate self-pairing. 
We denote hy I : E ^ E' the ascending isogeny whose kernel is generated by 
< r^-iQ > and by P' = I{P). By Lemma gJl we have 

T,™.(P',P') = 1- 

Since £"2-ip' generates the kernel of the dual /, it follows that k{E') = —1 over 
Fgt- . We denote by P e E{¥^is+i ) a point such that £P = P. By Lemma we 
have that 

Tllf_,T\p,P)efi,2\^i,. 

By denoting P" = I{P), we get that 

T,„,+i(P",P") GMf- 

It follows that k{E') = over F^^s+i and this is the smallest extension field with 
this property. 

Case 2. We treat the case I ~2. Suppose that 

E[2°°]{¥q) ~ Z/2"iZ X Z/2"^Z. 

If n2 > 1, then 

E[2°°]{¥q2) ~ Z/2"i+^Z X Z/2"^+iZ. 

We consider points P, Q S P[2"2+i] and P, Q G P[2"2] such that P = 2P and 
Q = 2(5. Then, by Lemma l4!6l we have 

r2..2+i(P,Q)' = ±P2"2(P,Q). 

Hence, if k{E) > 2. the proof is similar to the one of Case 1. We consider the 
curve E such that k{E) = 1 and we take a curve E' lying one level above such that 
there is an ascending isogeny I : E ^ E' . Since k{E) = 1 and the kernel of / is 
degenerate, then there is a point P G E[£"^] such that P' = /(P) generates the 
kernel of /. By Lemma 14771 we get that 

Te^2iP',P')e fil 

Hence the points of the kernel of any descending isogeny starting at E' have self- 
pairings primitive £-th roots of unity. Reasoning as in the case k{E) > 2 over Fq2, 
we get that k{E') = 1 over Fq2. A point generating the kernel of an ascending or 
horizontal isogeny does not have distortion maps (see [4, Thm. 2.1]). Hence we 
have 

(4.7) T^^,+^{Q,Q)=T2r..{Q,Q), 

for Q e E[r'^]{¥q),Q £ E[¥q2] such that £Q ^ Q and that £"^-^Q generates the 
kernel of an ascending isogeny. Since k{E') = 1 for E' defined over ¥q2, we get 
that Tgn2{Q,Q) = 1. We conclude that k{E') — over Fg. By induction, we may 
show in a similar manner that there is an extension field over which all curves lying 
above the second stability level have polynomials V different from zero. If n2 = 1, 
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Figure 2. A level invariant in an volcano 



the first stability level and the second one coincide. If i? is a curve on the first 
stability level of an irregular 2- volcano (i.e. q = I mod 4), we consider the volcano 
defined over ¥^2 . As explained in Remark 14.31 

£:[2°°](F,2) ~ Z/2"i+^Z X Z/2^Z 

and since the curve lies on the first stability level, there are points of order 4 with 
primitive self-pairing, which implies that for any curve lying one level above, the 
polynomial V is different from zero. Over ¥^2, we may reason as in the case 712 > 1 
and show that there is an extension field over which all curves lying above the first 
stability level have polynomials V different from zero. 

Finally, if 712 = 1 and the volcano is regular of height 1 (i.e. q = 3 mod p), it is 
obvious that Ce.s is an invariant at every level of the volcano. □ 

We conclude this section by presenting an algorithm which determines the group 
structure of the £°°-torsion group of a curve E (Algorithm [T|) and also an algo- 
rithm which outputs the kernel of a horizontal (ascending) isogeny from E, when 
E[£'^]{¥g) is given (Algorithm [2| . 

We assume that the height of the volcano is h < 2n2 + 1, or, equivalently, 
that the curve E lies on or below the second stability level, which implies that the 
polynomial V is non-zero at every level in the volcano. This allows us to distinguish 
between different directions of ^-isogenics departing from E. Algorithm [2] computes 
the level in the volcano of the curve E, which is equivalent to computing the level 
invariant C(,^e- 

Of course, similar algorithms can be given for curves lying above the second stability 
level, but in this case we need to consider the volcano over an extension field F^e^ . 
Since computing points defined over extension fields of degree greater than £ is 
expensive, our complexity analysis in Section [5] will show that it is more efficient to 
use Kohel's and Fouquet-Morain algorithms to explore the volcano until the second 
level of stability is reached and to use Algorithms [1] and [2] afterwards. 
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Algorithm 1 Computing tlie structure of tlie ^°°-torsion of E over 
(assuming volcano height > 1) 

Require: A curve E defined over F^, a prime £ 

Compute: Structure Z/T^Z x Z/£"^Z, generators Pi and P2 

1: Check that q = l (mod £) (if not, need to move to extension field: abort) 

2: Let t be the trace of E{¥q) 

3: Check q + 1 — t = (mod £) (if not, consider twist or abort) 

4: Let d-rr —t^ ~ 4g, let z be the largest integer such that ^^|c?7r and h = [|J 

5: Let n be the largest integer such that £"'\q + 1 — t and N = 

6: Take a random point Ri on E{¥q), let Pi = N ■ Ri 

7: Let rii be the smallest integer such that ^"^Pi = 

8: ii Til = n then 

9: Output: Structure is generator Pi. Exit 

{E is on the floor, ascending isogeny with kernel {£^^^Pi)) 
10: end if 

11: Take a random point R2 on E{¥q), let P2 = N ■ R2 and n2 = n — ni 
12: Let a = log^„2Pi(^"'^2) (mod£"i-"2) 
13: if a is undefined then 

14: Goto 6 (r'^P2 does not belong to {P'^Pi)) 
15: end if 

16: Let P2 = P2- aPi 

17: If WeilPairing^(ri^iPi,^"2-iP2) = 1 goto 6 (This checks hnear indepen- 
dence) 

18: Output: Structure is x jt^, generators (Pi,P2) 



5. Walking the volcano: modified algorithms 

As mentioned in the introduction, several applications of isogeny volcanoes have 
recently been proposed. These applications require the ability to walk descending 
and ascending paths on the volcano and also to walk on the crater of the volcano. 
We recall that a path is a sequence of isogenics that never backtracks. We start 
this section with a brief description of existing algorithms for these tasks, based 
on methods given by Kohel [14J and by Fouquet and Morain in [8J. We present 
modified algorithms, which rely on the method presented in Algorithm [2] to find 
ascending or horizontal isogenics and to compute the level invariant C£,e- Then, 
we give complexity analysis for these algorithms and show that in many cases our 
method is competitive. Finally, we give two concrete examples in which the new 
algorithms can walk the crater of an isogeny volcano very efficiently compared to 
existing algorithms. 

A brief description of existing algorithms. Existing algorithms rely on three essen- 
tial properties in isogeny volcanoes. Firstly, it is easy to detect that a curve lies on 
the floor of a volcano, since in that case, there is a single isogeny from this curve. 
Moreover, this isogeny can only be ascending (or horizontal if the height is 0). Sec- 
ondly, if in an arbitrary path in a volcano there is a descending isogeny, then all the 
subsequent isogenics in the path are also descending. Thirdly, from a given curve, 
there is either exactly one ascending isogeny or at most two horizontal ones. As 
a consequence, finding a descending isogeny from any curve is easy: it suffices to 
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Algorithm 2 Finding the level in the volcano and the kernel of ascending or 
horizontal isogenics 

(Assuming curve not on floor and below the second stability level) 

Require: A curve E, its structure j^^z ^ J^z ^'^'^ generators (Pi,P2) 
1: if rii > 712 then 

2: The isogeny with kernel (f^^^^Pi) is ascending or horizontal 
3: To check whether there is another, continue the algorithm 
4: end if 

5: Let g be a primitive £-th root of unity in 
6: Let Qi = ri-"2Fi 

7: Let a = Ti.2{Qi,Qi), b = Te^^iQu P2) ■ Te.2{P2,Qi) and c = r^^2 (P2, -P2) 
8: If (a, 6, c) — (1, 1, 1) abort (Above the second stability level) 
9: Let Count = 0. 
10: repeat 

11: Let a' ~ a, b' ^ b and c' — c 
12: Let a — a^, b — b^ and c = 
13: Let Count = Count + 1 
14: until a — 1 and 6 = 1 and c ~ I 

15: Let La = logg(a'), = logg(fe') and = logg(c') (mod £) 
16: Let V{x, y) = LaX^ + L^xy + L^y'^ (mod I) 

17: If Hi — n2, let Levellnvariant = Count — 1 else Levellnvariant — ni 
18: Output: Level Invariant {Ci^e) is Levellnvariant 

19: If V has no homogenous roots modulo Output: No isogeny (a single point 
on the crater) 

20: If single root {xi,X2) Output: One isogeny with kernel (^"^"^(xiQi + X2P2)) 
21: if V has two roots {xi,X2) and (2/1,2/2) then 

22: Two isogenics with kernel {P''^~\xiQi + 2:2^2)) and {P'^^^{yiQi + 2/2^2)) 
23: end if 



walk three paths in parallel until one path reaches the floor. This shortest path 
is necessarily descending and its length gives the level of the starting curve in the 
volcano. To flnd an ascending or horizontal isogeny, the classical algorithms try all 
possible isogenics until they flnd one which leads to a curve either at the same level 
or above the starting curve. This property is tested by constructing descending 
paths from all the neighbours of the initial curve and picking the curve which gave 
the longest path. 

Note that alternatively, one could walk in parallel all of the £ + 1 paths starting 
from the initial curve and keep the (two) longest as horizontal or ascending. As far 
as we know, this has not been proposed in the literature, but this variant of existing 
algorithms offers a slightly better asymptotic time complexity. For completeness, 
we give a pseudo-code description of this parallel variant of Kohel and Fouquet- 
Morain algorithms as Algorithm [31 

Basic idea of the modified algorithms. In our algorithms, we flrst need to choose a 
large enough extension field to guarantee that the kernels of all required isogenics 
are spanned by ^-torsion points defined on this extension field. As explained in 
Corollary 12.41 the degree r of this extension field is the order of q modulo ^ and it 
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Algorithm 3 Parallel variant of ascending/horizontal step 
(using modular polynomials) 

Require: A j-invariant ja in ¥q, a prime £, the modular polynomial ^e{X,Y). 
1: Let/(a;) = <I>,(A,jo) 
2: Compute Jo the list of roots of f{x) in 
3: If # Jo = Output: "Trivial volcano" Exit 
4: If #Jo = 1 Output: "On the floor, step leads to:", Jo[l] Exit 
5: If #Jo ~ 2 Output: "On the floor, two horizontal steps to:", Jo[l] and Jo[2] 
Exit 

6: Let J ~ Jq. Let J' and K be empty lists. Let Done = false. 
7: repeat 

8: Perform multipoint evaluation of ^i(X, j), for each j e J. Store in list F 
9: for i from 1 to £ + 1 do 

10: Perform partial factorization of F[i\, computing at most two roots ri and 
r2 

11: if F[i] has less than two roots then 

12: Let Done = true. Append _L to K (Reaching floor) 

13: else 

14: If ri e J' then append ri to K else append r2 to K. (Don't backtrack) 

15: end if 
16: end for 

17: Let J' = J, J = K and K be the empty list 
18: until Done 

19: for each i from 1 to £ + 1 such that J[i] ^ _L append Jo[i] to K 
20: Output: "Possible step(s) lead to:" K (One or two outputs) 



can be computed very quickly after factoring I— 1. As usual, we choose an arbitrary 
irreducible polynomial of degree r to represent Fgr . Points of order i are computed 
by running Algorithm [l] this time over Fgr. Once this is done, assuming that we 
are starting from a curve below the second level of stability, we use Algorithm [2] 
to find all ascending or horizontal isogenics from the initial curve. In order to 
walk a descending path, it suffices to choose any other isogeny. Note that, in 
the subsequent steps of a descending path, in the cases where the group structure 
satisfies n\ > n2, it is not necessary to run Algorithm [2] as a whole. Indeed, since 
we know that we are not on the crater, there is a single ascending isogeny and it is 
spanned by £"^~^Pi. Note that in order to determine the level of the curve in the 
volcano and hence the ^-adic valuation of the endomorphism ring we do not need 
to take any steps on the volcano. Indeed, Algorithm [2] computes the level invariant 
Ci^E with three pairing computations and several exponentiations to the power i. 
Finally, above the second stability level, we have two options. In theory, we can 
consider curves over larger extension fields (in order to get polynomials V ^ 0). 
Note that this is too costly in practice. Therefore, we use preexisting algorithms, 
but it is not necessary to follow descending paths all the way to the floor. Instead, 
we can stop these paths at the second stability level, where our methods can be 
used. 

Computing endomorphism rings. Kohel |14| describes a deterministic algorithm to 
compute the endomorphism ring of an elliptic curve. For small values of i and 
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when a large power of t divides the conductor of the endomorphism ring, he uses 
algorithms traveling on isogeny volcanoes to find the shortest path from the curve 
to the floor and thus determine the level of the curve in the volcano. We propose 
replacing the descent to the floor by a computation of the level invariant C^^e- On 
an almost regular volcano this is done by computing the structure of the £-Sylow 
group and then by computing the value of k{E). 

5.1. Complexity analysis. 

Computing a single isogeny. Before analyzing the complete algorithms, we first 
compare the costs of taking a single step on a volcano by using the two methods 
existing in the literature: modular polynomials and classical Vein's formulae. Sup- 
pose that we wish to take a step from a curve E. With the modular polynomial 
approach, we have to evaluate the polynomial f{X) = ^e{X, j{E)) and find its 
roots in ¥q. Assuming that the modular polynomial (modulo the characteristic of 
¥q) is given as input and using asymptotically fast probabilistic algorithms to factor 
f{X), the cost of a step in terms of arithmetic operations in ¥q is 0{£'^ + M{£) \ogq), 
where M{£) denotes the operation count of multiplying polynomials of degree £. In 
this formula, the flrst term corresponds to evaluation of ^i{X, j{Ei^i)) and the 
second term to root finding. 

With Velu's formulae, we need to take into account the fact that the required 
^-torsion points are not necessarily defined over F^. Let r denotes the smallest 
integer such that the required points are all defined over F^r. We know that 1 < 
r < £—1. Using asymptotically efficient algorithms to perform arithmetic operations 
in Fqi-, multiplications in Fgr cost M{r) Fg-operations. Given an i'-torsion point 
P in E{¥qr), the cost of using Velu's formulae is 0{£) operations in F^r. As a 
consequence, in terms of ¥q operations, each isogeny costs 0{£M{r)) operations. 
As a consequence, when q is not too large and r is close to ^, using Velu formulae 
is more expensive by a logarithmic factor. 

Computing an ascending or horizontal path. With the classical algorithms, each 
step in an ascending or horizontal path requires considering all the 0{£) neighbours 
of the curve and testing each of them by walking descending paths of height bounded 
by h. The expected cost of each descending path is 0{h{£^ + M{£) \ogq)) and the 
total cost is 0{h{£^ + £M{£)\ogq)) (see [H [24]). When £ » logg, this cost is 
dominated by the evaluations of the polynomial $^ at each j-invariant. Thus, by 
walking in parallel £+1 paths from the original curve, we can amortize the evaluation 
of $^(X, over many j-invariants using fast multipoint evaluation, see [191 Section 
3.7] or f26], thus replacing £^ by £M{£) \og£ and reducing the complexity of a step 
to 0{h£ M{£){\og£ + \ogq)). However, this increases the memory requirements. 

With our modified algorithms, we need to find the ^""-structure of each curve, 
compute some discrete logarithms in ^-groups, perform a small number of pairing 
computations and compute the roots of VE,e^2 . Except for the computation of 
discrete logarithms, it is clear that all these additional operations are polynomial 
in 712 and \og£ and they take negligible time in practice (see Section [5^ . Using 
generic algorithms, the discrete logarithms cost 0(^/1) operations, and this can be 
reduced to log£ by storing a sorted table of precomputed logarithms. After this is 



Completely splitting f{X) to find all its roots would cost 0(A/{£) log £log g), but this is 
reduced to 0{M{£) log q) because we only need a constant number of roots for each polynomial 

fix). 
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Table 1. Walking the volcano: Order of the expected cost per step 





Descending path 


Ascending/Horizontal 




One step 


Many steps 




MM 

Parallel evaluation 


h{e'' + M{e) \ogq) 


{i'^ + M{e)logq) 


h{£''' + £M{£) logg) 
h£M{£){\og£ + \ogq) 


Regular volcanoes 


Structure determination 


Best case 


\ogq 


\ogq 


Worst case r £/2 


rM{r] 


\ogq 


r M{r ) \ogq 


Regular volcanoes 


Isogeny construction 


Best case 


t 




£ 


Worst case r ^ £/2 


r M (r) 


r M (r) 


Irregular volcanoes 








(worst case) 




No improvement 



done, we have to compute at most two isogenics, ignoring the one that backtracks. 
Thus, the computation of one ascending or horizontal step is dominated by the 
computation of isogenies and costs 0{£M{r)). 

For completeness, we also mention the complexity analysis of Algorithm [TJ The 
dominating step here is the multiplication by N of randomly chosen points. When 
we consider the curve over an extension field Fgr, the expected cost is 0{r\ogq) 
operations in F^r, i.e. 0{rM{r)logq) operations in F,. 

Finally, comparing the two approaches on a regular volcano, we see that even 
in the less favorable case, we gain a factor h compared to the classical algorithms. 
More precisely, the two are comparable, when the height h is small and r is close to 
£. In all the other cases, our modified algorithms are more efficient. This analysis 
is summarized in Table [T] For compactness 0(-)s are omitted from the table. 

Computing endomorphism rings. On a regular volcano, computing the invariant 
Ce^E involves computing the group structure and some pairings. Hence, the ex- 
pected running time of the computation is 0(rM{r)logq + n2log£), while the 
complexity of Kohel's algorithm is 0{h{£^ + M {£) log q)). 

Irregular volcanoes. Consider a fixed value of q and let s = — 1). First of all, 
note that all curves lying on irregular volcanoes satisfy £'^^\q-\-l — t and — 4g. 

For traces that satisfy only the first condition, we obtain a regular volcano. We 
estimate the total number of different traces of elliptic curves lying on ^-volcanoes 
by #{t s.t. + 1 _ t and t e [-2^, 2^]}^^. 
Next, we estimate traces of curves lying on irregular volcanoes by 

#{t s.t. £^'\q+l-t ,£2^+2|t2 - 49 and t e [-2^^, 2^} ^ 

Indeed, by writing q — 1 + ^£'^ and i = 2 + ^£^ + and imposing the condition 

Thus, we estimate the probability of picking a curve whose volcano is not regular, 
among curves lying on volcanoes of height greater than 0, by j^. (This is a crude 
estimate because the number of curves for each trace is proportional to the Hurwitz 
class numbe ^H{e~Aq)). This probability is not negligible for small values of £. 



''See [51 Th. 14.18] for q prime. 
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However, since our method also works everywhere on almost regular volcano, the 
probability of finding a volcano where we need to combine our modified algorithm 
with the classical algorithms is even lower. Furthermore, in some applications, it is 
possible to restrict ourselves to regular volcanoes. 

5.2. Some practical examples. 

A favorable case. In order to demonstrate the potential of the modified algorithm, 
we consider the favorable case of a volcano of height 2, where all the necessary £- 
torsion points are defined over the base field Fp, where p = 619074283342666852501391 
is prime. We choose £ = 100003. 

Let E be the elliptic curve whose Weierstrass equation is 

^x^ + 198950713578094615678321 j;+ 32044133215969807107747. 
The group E[£°°] over Fp has structure -^rg- It is spanned by the point 

P = (110646719734315214798587,521505339992224627932173). 
Taking the ^-isogeny Ii with kernel {£^P), we obtain the curve 

Ei:y^ = x^+ 4762987236949692886444362:+ 260540808216901292162091, 
with structure of the £°°-torsion x ^ and generators 

Pi = (22630045752997075604069, 207694187789705800930332) and 

Qi = (304782745358080727058129,193904829837168032791973). 
The ^-isogeny I2 with kernel {l^Pi) leads to the curve 

E2:y^ =x^ + 21207599576300038652790 x + 471086215466928725193841, 
on the volcano's crater and with structure x and generators 

P2 = (545333002760803067576755, 367548280448276783133614) and 
Q2 = (401515368371004856400951,225420044066280025495795). 

Using pairings on these points, we construct the polynomial: 

V{x, y) = 97540 x^ + 68114 a; y + 38120 y^, 

having homogeneous roots (x, y) = (26568, 1) and (72407, 1). As a consequence, we 
have two horizontal isogenics with kernels (£(26568 P2+(52)) and P2+Q2)) ■ 

We can continue and make a complete walk around the crater which contains 22 
different curves. Using a simple implementation under Magma 2.15-15, a typi- 
cal execution takes about 134 second^ on a single core of an Intel Core 2 Duo 
at 2.66 GHz. Most of the time is taken by the computation of Vein's formulas 
(132 seconds) and the computation of discrete logarithms (1.5 seconds) which are 
not tabulated in the implementation. The computation of pairings only takes 20 
milliseconds. 



°This timing varies between executions. The reason that we first try one root of V, if it 
backtracks on the crater, we need to try the other one. On average, 1.5 root is tried for each step, 
but this varies depending on the random choices. 
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Table 2. Endomorphism ring computation: Benchmarks 



Parameters 


Kohel 


This work 


D = 1009, ^ = 31, /i = 10, r = 1 


1.80 s 


0.01 s 


D = 1009, 101, h^3,r = 10 


1.18 s 


0.75 s 


D = 1009, £ = 31, ft. = 6, r = 5 


1.15 s 


0.33 s 


D = 4 * 919, h = 2,e= 1009, r = 84 




43 s 



A larger example. We have also implemented the computation for £ = 1009 using 
an elliptic curve with j-invariant j — 34098711889917 in the prime field defined by 
p — 953202937996763. The ^-torsion appears in a extension field of degree 84. The 
^-volcano has height two and the crater contains 19 curves. Our implementation 
walks the crater in 20 minutes. More precisely, 750 seconds are needed to generate 
the curves' structures, 450 to compute Vein's formulas, 28 seconds for the pairings 
and 2 seconds for the discrete logarithms. 

Computing the endomorphism ring. Our benchmarks show that our method is very 
efficient in the favorable case, i.e. when the ^-torsion points are defined over the base 
field. Otherwise, if £ is small, the efficiency of our method depends asymptotically 
on the ratio h/r. We have implemented our algorithm and Kohel's method with 
MAGMA and ran experiments for various values of h, r and £. Results are given 
in Table [21 For large £ {£ > 2-'^°), we could not test Kohel's method since modular 
polynomials may not be precomputed with MAGMA. 

An example. For curves such that the index of Z[7r] is divisible by a large power of 
a small prime ^, we use Kohel's algorithm combined with our method to compute 
the largest power of i dividing the conductor of the endomorphism ring. Suppose 
we are given the curve with j-invariant 

jo = 71892495629450480796525055574120577929291359932 

over the prime field defined by 

p = 555574087029024034910907703752286309950415657009. 

The discriminant of Zfvr] is 

d^^2^- 31^" • 1009, 

hence the height of the 31-volcano is 15. The 31-Sylow group structure is x 
and the corresponding k(E) = — 1, hence we may not determine the level of the 
curve in the 31-volcano by using pairings over Fp. We could move to F^e and 
compute pairings over this field, but it is rather expensive. Instead, we use Kohel's 
algorithm to find the shortest path to the second stability level. For each curve 
we consider, we compute the corresponding pairings over Fp to see whether we 
get a polynomial V different from zero. When we get such a polynomial, we stop 
because we have reached the second stability level. For example, a random walk 
in the volcano produces a shortest path to the second stability level given by the 
curves with j-invariants 

ji = 304777814376748778212312171834280090074154445427 and k{Ei) = -1, 
j2 = 191449283692968031770360270038328919070842850348 and k{E2) = -1, 
js = 500824144736236330809586376475032618300606767898 and kiEs) = -1, 



22 



SORINA lONICA AND ANTOINE JOUX 



j4 = 439660047668527271074847223836176503148636315832 and k{Ei) ^ 0. 

The curve i?4 lies on the second stability level, hence we deduce that the 31- 
valuation of the index of Z[7r] in End{E) is 9. 

6. Conclusion and perspectives 

In this paper, we have proposed a method which allows one to determine, given 
a curve E in the regular part of an isogeny volcano and an ^-torsion point P on 
the curve, the type of the ^-isogeny whose kernel is spanned by P. In addition, this 
method permits one to find the ascending isogeny (or horizontal isogenics) from E, 
if a basis for the f-torsion is given. We expect that this method can be used to 
improve the performance of several volcano-based algorithms, such as the compu- 
tation of the Hilbert class polynomial [24J or of modular polynomials [3J. 
Finally, on an ^-volcano, we have given a level invariant which can be determined 
by computing the structure of the i'-Sylow group and a small number of pairings. 
This gives a new method to compute the ^-adic valuation of the conductor of the 
endomorphism ring of an elliptic curve, for small values of ^, and may thus be used 
in algorithms computing the endomorphism ring of an elliptic curve. 
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